The Ultimate Guide to the Cybersecurity Maturity Model Certification (CMMC)

What is CMMC compliance?


The Department of Defense (DoD) knows that security is a foundational aspect of all purchase decisions and should not be sacrificed for cost, schedule, or performance. The Cybersecurity Maturity Model Certification (CMMC) program is intended to verify whether or not contractors in the Defense Industrial Base (DIB) have implemented contractually obligated levels of cybersecurity practices and processes in order to protect controlled unclassified information (CUI) and Federal Contract Information (FCI) that reside on the DIB’s networks.

CMMC is implemented by 32 CFR Part 170 and the 48 CFR rule. 32 CFR (or CFR Title 32) is the policy regulation that describes the details of the program, levels of CMMC, what requirements are being verified by CMMC, and roles and responsibilities of the ecosystem. This final 32 CFR rule was published in October of 2024 and officially went into effect on December 16, 2024.

Who must meet CMMC requirements?

Every organization or business that sells to or services the Department of Defense (DoD) must meet CMMC requirements if it handles CUI or FCI in the performance of the DoD contract. The clauses that contracting officers place in DoD contracts will dictate the level of CMMC certification required.

What are the CMMC levels?

The CMMC program requirements are tiered; requirements are generally defined within contractual agreements for services provided to the DoD and its contractors. The nature of these contractual requirements depends on the organization's relationship with the DoD (e.g., prime or subcontractor) and whether it processes FCI or CUI. The CMMC 2.0 model identifies three maturity levels (ML) of cyber hygiene.

CMMC 2.0 Level 1

This level is intended for DIB companies that handle FCI but not CUI and requires compliance with 17 basic cyber hygiene practices, which is equivalent to meeting the requirements in FAR 52.204-21. CMMC does not necessarily apply to all DIB contractors: only contractors handling FCI must perform a CMMC Level 1 self-assessment, and every DIB contractor at this maturity level must self-assess annually against the Level 1 requirements.

Companies at Level 1 in CMMC 2.0 must submit an annual self-assessment in DoD's Supplier Performance Risk System (SPRS) before they are awarded any CMMC Level 1 contracts or subcontracts. They must also submit an annual affirmation of compliance with the requirements of CMMC 2.0 Level 1, signed by a company officer, stating that the answers provided in the annual self-assessment are accurate and complete. All security requirements within Level 1 must be fully met, so a Plan of Action and Milestones (POA&M), which identifies outstanding weaknesses in the system, cannot be submitted with the Level 1 self-assessment.

CMMC 2.0 Level 2

This level applies to DIB companies that receive controlled unclassified information (CUI) and aligns with the requirements of NIST SP 800-171 Revision 2, a set of safeguards and requirements for protecting the confidentiality of CUI. There are 110 controls for CMMC Level 2 with 320 assessment objectives that need to be satisfied. CMMC Level 2 is triggered by the inclusion of the DFARS 252.204-7012 clause in contracts for products and services provided to the DoD. The contract will stipulate whether the Level 2 assessment can be self-attested or must be completed by a third-party assessment organization.

Most DoD contractors will require CMMC Third-Party Assessment Organization (C3PAO) assessments every three years with a yearly SPRS update. Level 2 assessments are generally submitted via eMASS by the assessor. DFARS 252.204-7020 defines a scoring methodology used by assessors in which each NIST SP 800-171 Rev. 2 requirement is weighted based on its criticality. A Level 2 assessment by a C3PAO assigns a numerical score between -203 and 110. Organizations must achieve a minimum score (typically 88 or higher) and have an approved POA&M to pass; a score below the threshold with unresolved deficiencies means non-compliance. Weaknesses identified during the assessment can be submitted as part of the POA&M. Controls not met in the initial assessment can be addressed through the POA&M within 180 days, followed by a close-out assessment, in order to receive certification. However, not all controls are eligible for POA&Ms, so be aware of this when preparing for assessment.

Once CMMC is fully implemented, contractors and sub-contractors must have the required level certification (or completed self-assessment for Level 1) prior to contract award.

CMMC 2.0 Level 3

Level 3 companies will require a government-led certification by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DIBCAC assessments apply to Level 3 but are not always required immediately at contract award. Contractors may receive conditional certification if certain controls are incomplete but have an approved POA&M. This level will apply to only the most sensitive and high-risk DoD projects and adds 24 requirements from NIST SP 800-172 that contractors must meet. Organizations that have previously undergone a DIBCAC High assessment are strong candidates for a Level 3 requirement; only 1% of the DIB is affected.

Using subcontractors and external service providers


DoD prime contractors must ensure that every subcontractor throughout their supply chain meets or exceeds the minimum CMMC certification level specified in the contract before any award is made. This “flow-down” requirement guarantees that all tiers—from prime contractors to the smallest subcontractors—maintain the appropriate cybersecurity safeguards. In addition, when contractors engage External Service Providers (ESPs), such as Managed Service Providers (MSPs) or Cloud Service Providers (CSPs), these vendors must also meet the relevant CMMC requirements if they have access to, process, store, or transmit Controlled Unclassified Information (CUI). Specifically, ESPs handling CUI are generally required to achieve at least CMMC Level 2 certification, ensuring their security posture is robust enough to protect sensitive data. Moreover, a 2024 memo from the DoD clarifies that CSPs must either maintain compliance with DFARS 252.204-7012 requirements or demonstrate FedRAMP Moderate status. This comprehensive approach to vendor management helps protect the integrity of the Defense Industrial Base and ensures that cybersecurity standards are consistently enforced across all entities involved in the contract.

Misrepresentations in CMMC documentation and implementation

Under the current CMMC framework, accurate documentation and honest representation of your cybersecurity posture are critical. The Department of Defense (DoD) is prepared to enforce compliance through the False Claims Act (FCA) and other legal avenues. Contractors and subcontractors who knowingly misrepresent their cybersecurity practices, provide deficient controls, or fail to monitor and report cyber incidents put U.S. information and systems at risk and may face severe consequences, including substantial fines, contract penalties, criminal charges, and stop-work orders if an audit reveals non-compliance. While FCA enforcement is a risk, misrepresentations regarding cybersecurity compliance are more commonly pursued under DFARS breach penalties and contract fraud provisions.

All DoD contractors, from CMMC Level 1 through Level 3, must submit annual attestations via the Supplier Performance Risk System (SPRS), confirming that their cybersecurity programs fully meet the mandated requirements. Maintaining transparent and accurate records is not only a regulatory necessity—it is a fundamental part of safeguarding the defense industrial base.

Determining your CMMC level

Under the revised CMMC rule, the DoD contract solicitation defines the minimum CMMC level and assessment type required—you don’t get to choose your own level. In other words, the solicitation or requiring activity will specify the cybersecurity maturity level you must achieve (and whether it should be a self-assessment or a third-party (C3PAO) assessment) in order to bid on and receive the contract. While you may choose to pursue a higher level if it aligns with your strategic goals, you must at least meet the level specified in the solicitation to be eligible for award.

In practical terms:

FCI-only contracts: If your contract covers only Federal Contract Information (FCI), you will likely need to achieve CMMC Level 1 through a self-assessment.

CUI contracts: If your contract involves Controlled Unclassified Information (CUI) under DFARS 252.204-7012, you must meet CMMC Level 2. Depending on the solicitation, this could be either a self-assessment or a third-party C3PAO certification.

High-sensitivity contracts: For contracts that require additional safeguards—typically involving a more critical subset of DoD programs—you will need to achieve CMMC Level 3, which generally entails a government-led DIBCAC assessment.

Meeting the minimum CMMC level indicated in the contract is a prerequisite for award, ensuring that all contractors in the Defense Industrial Base meet uniform cybersecurity standards.

What you can do to prepare for CMMC

In preparation for a CMMC assessment, organizations handling Controlled Unclassified Information (CUI) should begin by adopting the security requirements outlined in NIST SP 800-171 Revision 2—the foundation for CMMC Level 2 compliance. Forward-thinking organizations may also review NIST SP 800-171 Revision 3 (currently in draft) to anticipate future changes, ensuring they can map those requirements back to Revision 2 for their assessment.

Keep in mind that while you can estimate your expected CMMC level based on the nature of the information your systems process, the final required level will be specified in your DoD contract solicitation. With that in mind, here are some essential steps to become CMMC-ready:

Estimate your expected CMMC level:
Evaluate the types of information your organization processes (FCI versus CUI) to determine whether you might need Level 1, Level 2, or Level 3 compliance. Remember, the actual level will be dictated by the contract.

Fully define the scope:
Use the DoD’s CMMC Scoping Guide to clearly delineate the systems that will process, store, or transmit CUI, ensuring that all relevant assets are included.

Map your supply chain:
Identify third-party vendors and external service providers that process, store, or transmit CUI, as well as those that support your cybersecurity efforts. Ensure these entities align with the applicable CMMC requirements.

Conduct an internal assessment:
Following the guidance in the DoD’s CMMC Assessment Guide, perform a comprehensive internal review—think like an auditor—to identify gaps between your current practices and the required standards.

Plan and document compliance:
Develop a detailed strategy that outlines how you will prove compliance, including a timeline, allocated resources, and a plan for corrective actions. Begin gathering the necessary policies, procedures, and supporting documentation.

Engage a C3PAO when necessary:
If your anticipated or required CMMC level involves a third-party certification (for example, Level 2 Certification or Level 3 assessments), begin researching and contracting with a C3PAO. Note that if your contract calls for a self-assessment (such as Level 1 or Level 2 Self-Assessment), engaging a C3PAO may not be required.

What are the most critical CMMC control families? 

NIST SP 800-171 Revision 2—the primary standard underpinning CMMC assessments—divides its requirements into 14 families of controls (or domains). Although every family plays an important role in protecting sensitive information, many experts and industry best practices emphasize these five as especially critical:

Focusing on these five control families can provide a strong foundation for an effective cybersecurity program, addressing the prevention, detection, and response to threats targeting sensitive defense-related information. While all 14 families are integral to achieving full compliance, emphasizing these areas helps organizations build a robust defense that aligns with both CMMC requirements and overall cybersecurity best practices.

What is involved in a CMMC assessment?

A CMMC assessment is a comprehensive evaluation of your organization’s cybersecurity posture designed to verify compliance with DoD-mandated standards. The CMMC Assessment Process (CAP) guide, published by the DoD, provides detailed instructions for how these assessments should be conducted. This authoritative guide outlines everything from assessment planning and execution to evidence collection and reporting requirements. Preparing for an assessment is similar to other IT compliance reviews but has unique aspects tailored to the defense industrial base.

Key steps include:
  • Evidence collection and documentation:
    Develop and maintain a centralized repository of evidence following the CMMC Assessment Process (CAP) guide's specifications. This should include documented policies, procedures, system configurations, risk assessments, and testing artifacts that demonstrate compliance with NIST SP 800-171 Revision 2 requirements. The CAP guide provides specific criteria for what constitutes acceptable evidence for each assessment objective, helping organizations prepare exactly what assessors will need to verify compliance. Evidence should be organized to support each control family within your targeted CMMC level.
  • Assessment process overview:
    Whether you’re conducting a self-assessment (as required for CMMC Level 1 or Level 2 Self-Assessment) or engaging a C3PAO for a third-party certification (for CMMC Level 2 Certification or Level 3), your team should be prepared to present this evidence during the audit. Detailed guidance on the assessment process—including scoping, evidence review, and scoring methodology—is available on the Cybersecurity Maturity Model Accreditation Body’s website as well as within DoD’s official publications (32 CFR Part 170).
  • Ongoing compliance and continuous improvement:
    Achieving a successful assessment is not a one-time event. CMMC compliance is an ongoing journey that requires continuous monitoring, regular internal reviews, and annual affirmations in the Supplier Performance Risk System (SPRS). Organizations must also plan for re-assessments every three years (for Levels 2 and 3) and ensure that any identified gaps or corrective actions—such as those tracked via a Plan of Action and Milestones (POA&M)—are promptly addressed.
  • Integration with your cybersecurity program:
    Preparing for a CMMC assessment should align with your broader cybersecurity and risk management efforts. By integrating regular testing, monitoring, and documentation practices into your daily operations, your organization not only gears up for the assessment but also builds a resilient security posture that meets evolving DoD requirements.

Common challenges businesses face with CMMC certification


Many organizations embarking on the CMMC certification journey confront a multifaceted set of challenges. One of the foremost issues is the lack of a mature, enterprise-wide information security compliance program. Often, companies not only lack formal CMMC certification but also have limited experience with legacy frameworks—such as NIST SP 800-171 and NIST SP 800-53—that underpin today’s cybersecurity requirements.

In many cases, businesses struggle with outdated security-centric architectures and insufficient compliance management tools. Without the right technology and dedicated in-house expertise, building and sustaining an effective cybersecurity program becomes a steep uphill battle. This resource gap frequently forces companies to rely on ad hoc measures rather than a systematic approach to security, making it difficult to meet CMMC’s rigorous standards.

Another significant hurdle is the disconnect at the leadership level. Many executives underestimate the complexity of CMMC requirements and the critical importance of robust cybersecurity measures. This lack of understanding often results in insufficient budget allocations and poor strategic planning, leaving compliance gaps unaddressed. The consequences of these oversights can be severe—ranging from the loss of DoD contracts and personal or corporate liability to lasting damage to a company’s brand and reputation.

For organizations facing these challenges, partnering with external cybersecurity consultants or Managed Security Service Providers (MSSPs) is a practical solution. These experts can help narrow the scope of remediation, prioritize critical controls, and guide companies efficiently through the audit process—saving time, reducing costs, and ultimately fortifying the organization’s cybersecurity posture.

Kayne McGladrey

Kayne McGladrey, CISSP is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

Paula Biggs

Paula Biggs is a cybersecurity professional specializing in Governance, Risk, and Compliance (GRC) with experience guiding organizations through regulatory and cybersecurity frameworks. As a Certified CMMC Professional (CCP), Paula provides expert consulting services to help defense contractors and organizations within the Defense Industrial Base successfully prepare for CMMC Level 2 assessments.

Hyperproof for CMMC compliance

Hyperproof can help you get ready for the CMMC in the most streamlined and efficient way:

  • Get expert assistance in putting together a project plan that gets you on track to meet CMMC requirements and your customers' expectations
  • Intuitive CMMC software you can use to stand up a compliance program that meets NIST SP 800-171 and CMMC requirements
  • Manage compliance work seamlessly, as Hyperproof integrates with the productivity tools you already have
  • Conduct a gap assessment and identify key actions that need to be met to satisfy CMMC requirements
  • Quickly collect evidence to document your effort toward CMMC compliance, and reuse evidence across multiple information security and compliance audits
  • Automatically generate System Security Plans for CMMC compliance

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get CMMC ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
